The JAAS dual authentication plug-in behaves effectively like a hybrid of the username/password authentication plug-in and the certificate authentication plug-in. It enables you to specify one JAAS realm to use when a client connection uses SSL, and another JAAS realm to use when the client connection is non-SSL.
For example, this makes it possible to use certificate authentication for SSL connections and JMS username/password authentication for non-SSL connections, where the selection is made dynamically at run time.
Example 3.6 shows the definitions of
two sample JAAS realms: a realm for non-SSL connections, activemq-domain; and
a realm for SSL connections, activemq-ssl-domain.
Example 3.6. JAAS Login Entries for Secure and Insecure Connections
activemq-domain {
    // Tried first: username/password check against users.properties
    org.apache.activemq.jaas.PropertiesLoginModule sufficient
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
    // Fallback: assigns the guest user and group
    org.apache.activemq.jaas.GuestLoginModule sufficient
        debug=true
        org.apache.activemq.jaas.guest.user="guest"
        org.apache.activemq.jaas.guest.group="guests";
};

activemq-ssl-domain {
    // Maps the client certificate DN to a user via dns.properties
    org.apache.activemq.jaas.TextFileCertificateLoginModule required
        debug=true
        org.apache.activemq.jaas.textfiledn.user="dns.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};

The activemq-domain login entry illustrates how to use multiple login
modules in a single realm. With this configuration, JAAS first tries to
authenticate a client using the PropertiesLoginModule login module. If that
authentication step fails, JAAS then attempts to authenticate the client using the next
login module, GuestLoginModule. The guest login module assigns a default
username and group ID to the client and always succeeds at authenticating. For
more details, see JAAS Guest Login Module.
To enable the JAAS dual authentication plug-in, add the
jaasDualAuthenticationPlugin element to the list of plug-ins in the broker
configuration file and initialize both the configuration attribute (to
specify the JAAS realm used for non-SSL connections) and the sslConfiguration
attribute (to specify the JAAS realm used for SSL connections).
<beans>
  <broker ...>
    ...
    <plugins>
      <jaasDualAuthenticationPlugin
          configuration="activemq-domain"
          sslConfiguration="activemq-ssl-domain" />
    </plugins>
    ...
  </broker>
</beans>
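The realm selection and login-module chains described above, modelled in Python as an added example (this is not ActiveMQ code). It applies the general JAAS control-flag rules, which go beyond the sufficient and required flags used on this page. The user table, certificate DN and the three stand-in module functions are constructed for illustration.

```python
"""Model of how the sample realms decide a login (added example, not ActiveMQ code)."""

# Constructed stand-ins for the contents of users.properties and dns.properties.
USERS = {"alice": "s3cret"}
CERT_DNS = {"CN=client1,O=Example": "client1"}

def properties_module(conn):
    # Stand-in for PropertiesLoginModule: needs a matching username/password.
    user = conn.get("user")
    return user if user in USERS and USERS[user] == conn.get("password") else None

def guest_module(conn):
    # Stand-in for GuestLoginModule as the page describes it: always succeeds.
    return "guest"

def cert_module(conn):
    # Stand-in for TextFileCertificateLoginModule: known certificate DN -> user.
    return CERT_DNS.get(conn.get("cert_dn"))

# Same module order and control flags as Example 3.6.
REALMS = {
    "activemq-domain": [(properties_module, "sufficient"), (guest_module, "sufficient")],
    "activemq-ssl-domain": [(cert_module, "required")],
}

def login(realm, conn):
    """Apply the JAAS control-flag rules; return the authenticated name or None."""
    names, mandatory_failed = [], False
    for module, flag in REALMS[realm]:
        name = module(conn)
        if name is not None:
            names.append(name)
            if flag == "sufficient":
                break  # a successful sufficient module ends the chain
        elif flag in ("required", "requisite"):
            mandatory_failed = True
            if flag == "requisite":
                break  # a failed requisite module ends the chain at once
    return names[0] if names and not mandatory_failed else None

def authenticate(conn, configuration="activemq-domain",
                 ssl_configuration="activemq-ssl-domain"):
    """Choose the realm as the dual plug-in does: by whether the connection uses SSL."""
    return login(ssl_configuration if conn.get("ssl") else configuration, conn)
```

With these realms, every non-SSL client ends up authenticated at least as guest, so the permissions granted to the guests group determine what a client with a wrong or missing password can reach.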







